By Dr. Jim Kennedy, NCE, MRP, MBCI, CHS-IV.
The Information Week 10th Annual Global Information Security Survey was released recently and many government agencies, companies and security professionals seem surprised that data loss and theft continues to take a back seat to other types of security breaches when it comes to applying resources and dollars for protection efforts.
Security professionals continue to focus on the security threats with which they are most familiar and relegate other emerging threats, such as theft of customer information and intellectual property, to a much lower position on their 'concerned about' lists. Even though recent legislation and regulations attempt to address data theft and loss in some manner, these regulations provide mostly soft suggestions on how to address the problem. The Department of Homeland Security's National Cyber Security Division has also indicated that those protecting corporate security are potentially focusing on the wrong things and that organizations need to know what data they collect, where it is stored, and who has access to it.
With all of this said, I am no longer amazed by the number of corporations that do not have an inventory of their computing assets and, specifically, of their critical data or information assets. They continue to lack a thorough understanding of which servers or databases hold the information that is of the utmost importance to their organization.
This almost ubiquitous lack of a comprehensive data inventory keeps firms from properly protecting their critical information and data. It does not seem to matter whether that information is legally protected personal healthcare information of patients, credit card information of current or past customers, critical intellectual property which could give a competitive advantage, or information that terrorists could use to attack our critical infrastructure; all seem equally unprotected. This continues to be the norm for many corporations across all industry segments (healthcare, financial, manufacturing, pharmaceutical, utilities, etc.), and even some governmental organizations, despite all of the regulations and best practices that are constantly discussed in the general media and presented at security forums and industry trade symposiums.
Many organizations, some considered part of our critical infrastructure, have thousands of unstructured and unprotected data stores, files and e-mails. Oftentimes this data represents as much as 75 percent to 85 percent of a company's mission-critical or customer/patient-specific data. Typically it is scattered across networks and is often invisible. This type of information consists of everything from multiple copies of the same data to critical e-mail threads sitting in flat archive files that relate to confidential or proprietary information, legal contracts, or personal or financial information about the company, former patients, students or employees.
Every time a loss of data occurs, and such losses seem to be occurring with ever-increasing frequency and cost (e.g., a recent ASIS survey indicates financial losses from proprietary information and intellectual property theft or loss in the area of $50 billion per year), the loss seems to involve critical or private information that was supposed to be protected by the corporation or government entity that held it. The data that has been lost or stolen generally comes from either a stolen or misplaced laptop or a corporate system without proper information security controls in place. Why? It seems to boil down to four basic reasons:
1) A lack of understanding of type and location of data stored on company resources,
2) A lack of policies and procedures adequately governing and protecting that data,
3) A lack of awareness training on the importance of data to their company and its customers, and/or
4) A lack of focus by senior management and/or the organization's security professionals on critical and sensitive data identification and protection.
If you, as a senior manager, corporate security officer, business continuity director, CIO, or business unit manager, deem the data and information that your organization is responsible for or uses to be important, critical and/or sensitive, you need to step back and take a few basic steps to protect it.
Information discovery and classification
The first step on the road to properly protecting data begins with the process of information discovery and data classification. After all, how can an organization properly protect, move, delete or save different types of data if it doesn't know exactly what type of data it's dealing with in the first place?
Developing a physical inventory of servers, computers, and then the data assets that are stored on them is the most important first step for any organization.
As highlighted above, I have been called in on many occasions to help an organization to develop an information protection program only to find that they do not know where all their critical data is. In fact many do not have current asset inventories of computing equipment.
Once the information has been identified and you know where it resides, it is necessary to develop a system to properly classify that data. In general, four basic classifications work for many companies: public; internal use only; proprietary; and confidential.
- Public - information in the public domain: annual reports, press statements, etc. which have been approved for public use. Security at this level is minimal.
- Internal use only - information not approved for general circulation outside the organization; its loss would be an inconvenience to the organization or management, but disclosure is unlikely to result in financial loss or serious damage to credibility (examples: internal memos, minutes of meetings, internal project reports, etc.). Security at this level is controlled but normal.
- Proprietary - information of a proprietary nature; procedures, specialized processes, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for internal use only by authorized personnel. Security at this level is high.
- Confidential - information that, if made public or even shared around the organization, could seriously hinder the organization's operations or violate government regulations or laws. Such information would include accounting information; business plans; sensitive customer, student or patient information; attorney and accountant records, etc.; patients' medical records and similar highly sensitive data. This information should not be copied or removed from the organization's operational control without specific senior management or governmental authority. Security at this level must be very high.
Now that the data has been classified, proper protection based on its classification can be implemented. Along with the classification, data retention guidelines need to be established for each level of data. These guidelines should be reviewed and adjusted by the data owners along with details of who should have privileges to create, change, review, modify, or delete the data.
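The discovery and classification steps above can be partly mechanized. The script below is an added illustration, not the author's tool or any vendor's product: it walks a directory tree (standing in for the scattered file stores described above), assigns each file the highest of the four levels implied by its contents, and attaches a retention period per level. The detection patterns, the Luhn check on candidate card numbers, the sample files and the retention periods are all constructed assumptions for the demo; a real program would use the data owners' own rules and extend to databases and mail archives.

```python
"""
Minimal data discovery and classification pass over a directory tree.
Added example; the patterns, retention periods and sample files are
constructed assumptions, not rules from the article or any standard.
"""
import os
import re
import tempfile
from collections import Counter

# The four levels from the article, lowest to highest sensitivity.
LEVELS = ["public", "internal use only", "proprietary", "confidential"]

# Illustrative retention periods in days per level (assumption, not policy).
RETENTION_DAYS = {
    "public": 365,
    "internal use only": 730,
    "proprietary": 1825,
    "confidential": 2555,
}


def luhn_ok(candidate):
    """Luhn checksum, so a random run of digits is not counted as a card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, n in enumerate(reversed(digits)):
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# (regex, level it implies, optional validator for the matched text)
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential", None),            # US SSN shape
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "confidential", luhn_ok),         # card number
    (re.compile(r"\b(?:patient|diagnosis|medical record)\b", re.I), "confidential", None),
    (re.compile(r"\b(?:design spec|project plan|process spec)\b", re.I), "proprietary", None),
    (re.compile(r"\b(?:internal memo|meeting minutes)\b", re.I), "internal use only", None),
]


def classify_text(text):
    """Return the highest classification implied by the text; default is 'public'."""
    level = "public"
    for pat, lvl, check in PATTERNS:
        for m in pat.finditer(text):
            if check and not check(m.group(0)):
                continue
            if LEVELS.index(lvl) > LEVELS.index(level):
                level = lvl
    return level


def inventory(root):
    """Walk root and return {relative path: classification} for readable files."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = classify_text(text)
    return result


def summarize(inv):
    """Count files per level so an owner sees where the sensitive data sits."""
    return dict(Counter(inv.values()))


def retention_report(inv):
    """Pair each file with its level and the retention period that level carries."""
    return {path: (lvl, RETENTION_DAYS[lvl]) for path, lvl in inv.items()}


# Constructed sample files standing in for scattered departmental stores.
SAMPLE_FILES = {
    "press/annual_report.txt": "Annual report approved for release to the public.",
    "hr/minutes.txt": "Meeting minutes from the weekly staff sync. Internal memo attached.",
    "eng/widget_design.txt": "Design spec for the widget, revision 4.",
    "clinic/intake.txt": "Patient John Doe, SSN 123-45-6789, diagnosis pending.",
    "sales/orders.txt": "Card on file 4111 1111 1111 1111 for repeat customer.",
    "misc/random.txt": "Ticket 1234 5678 9012 3456 is not a card number.",
}


def demo():
    """Write the sample files to a scratch directory, then inventory them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return inventory(root)


if __name__ == "__main__":
    inv = demo()
    for path, (lvl, days) in sorted(retention_report(inv).items()):
        print(f"{path:28} {lvl:18} retain {days} days")
    print(summarize(inv))
```

The output of a pass like this is the starting point for the data owners' review: the per-level counts show which departments hold the most sensitive material, and the retention column is what the owners adjust when they set the retention guidelines and access privileges described above.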
The second step that the organization should take, now that it knows where its data is and how it is classified, is the development of plans to protect the data.
Protecting the data
Virus protection – across the organization there should be a virus protection strategy for all computing devices – servers, laptops, and desktop devices. The virus protection software should be maintained and virus signatures updated as frequently as the manufacturer of the anti-virus software recommends.
Security policy – there should be a security policy which has been communicated by senior management (to show its importance to the organization) and translated into internal processes and procedures (access control, network management, firewall administration, intrusion detection, Internet and e-mail use, etc.) and awareness training throughout the organization. A security plan should be developed that properly protects all of the data whether at rest (in storage) or on the move (all points where the data is transmitted to or received from). ISO 17799:2005 offers a good set of security controls for information security and can be a tool to aid organizations in developing programs and in addressing regulatory compliance.
Laptops should be controlled by some type of policy to either encrypt critical data stored on them or to ensure that critical data is NEVER stored on them. All security policies, processes and procedures should be periodically assessed to ensure that they are being followed and continue to be adequate for the mission of the organization. Most of the security breaches I have investigated have come from good, sound security processes that were not being followed.
Patch management plan – a plan to ensure that all security patches recommended by the computing hardware and/or software manufacturers are installed on the organization's computers in a timely fashion. I have witnessed corporations that have suffered hundreds of thousands of dollars in losses from security breaches for which a patch had been available for several months.
Data storage and recovery plan – a plan for the proper storage of all information for the period of time that it needs to be maintained (data retention based on the classification of the data). This can be in the form of off-site replication, archiving of files off site, etc. The plan should also include data restoration tests to ensure that data is being properly saved and can be restored when and if necessary.
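A restoration test is only meaningful if the restored data is compared against what was saved. The following is an added example, not the author's procedure or any backup product's feature, of the minimum such a test needs: a hash manifest recorded at backup time, a restore into a scratch location, and a file-by-file comparison that reports missing, altered and unexpected files. The in-memory tar archive and the two sample files are constructed assumptions for the demo; a real test would restore from the actual off-site copy.

```python
"""
Backup restoration test: manifest at save time, restore, verify.
Added example; the archive format and sample data are constructed
assumptions, not the article's or any product's procedure.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup(root):
    """Archive root into an in-memory tar; return (archive bytes, manifest)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue(), build_manifest(root)


def restore(archive_bytes, dest):
    """Extract the archive into dest, using the 'data' filter where available."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects unsafe paths (Python 3.12+ and backports)
        except TypeError:
            tar.extractall(dest)  # older interpreter without the filter argument


def verify_restore(manifest, restored_root):
    """Return a list of (path, problem); an empty list means the restore is good."""
    problems = []
    actual = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "content differs"))
    for rel in actual:
        if rel not in manifest:
            problems.append((rel, "unexpected extra file"))
    return problems


# Constructed sample data standing in for the records a retention schedule covers.
SAMPLE = {
    "finance/ledger.csv": "2007-08,1200.00\n",
    "hr/policy.txt": "Retention: 7 years\n",
}


def demo(corrupt=False):
    """Back up the sample tree, restore it, and verify; optionally damage one restored file."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, body in SAMPLE.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        archive, manifest = backup(src)
        restore(archive, dst)
        if corrupt:
            # Simulate a bad restore medium by truncating one restored file.
            with open(os.path.join(dst, "finance", "ledger.csv"), "w", encoding="utf-8") as fh:
                fh.write("")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print("clean restore problems:", demo())
    print("damaged restore problems:", demo(corrupt=True))
```

Keeping the manifest separate from the archive (for example, in the retention log) is what lets the test detect silent corruption of the backup medium itself; comparing a restore only against the archive it came from proves nothing about whether the archive still matches what was saved.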
Disaster recovery plan – a plan for the resumption and restoration of an organization’s operations following an incident where data or other critical operational elements of an organization are adversely affected. The plan should be tested regularly (once a year at least) to make sure that it is still fit for purpose.
In summary
All of the things that I have described above are pretty obvious. Some take time; others take time and money. Some will require expertise beyond what you have in your organization. Many are often overlooked in the hectic everyday business activities that consume every manager's day. However, in these times when data is so critical to our public's and our country's safety and security, there will come a time in every organization's history when its management's effectiveness will be measured by, and its survival determined by, how well the data is protected.
Don’t let complacency be the reason for your organization’s failure to protect critical or sensitive data.
The author
Dr. Jim Kennedy is the Business Continuity Services Practice lead and a consulting member of technical staff for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and holds numerous Master-level certifications in network engineering, information security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 business continuity and disaster recovery tests, helped to coordinate three actual recovery operations, authored many technical articles on information security, business continuity and disaster recovery, is a co-author of two books, the 'Blackbook of Corporate Security' and 'Disaster Recovery Planning: An Introduction', and is the author of the e-Book entitled 'Business Continuity & Disaster Recovery – Conquering the Catastrophic.' jtkennedy@alcatel-lucent.com

Date: 10th August 2007. Region: US/World. Type: Article. Topic: ISM.